In an example, systems and methods enable automatic implementation of intent-based security policies in a network system, such as a software-defined wide area network system, in which network segment prefixes for network segments at one or more sites are dynamically learned. A service orchestrator controller translates an intent-based security policy input by a user to a security policy for a first site. The security policy for the first site specifies a segment-specific queryable resource associated with a second site. To implement the security policy, a device associated with the first site queries the segment-specific queryable resource associated with the second site, and updates one or more forwarding tables of the device with the network segment prefixes associated with one or more network segments at the second site received in response to the query. The first site forwards network traffic to the second site based on the updated forwarding tables.
This application is a continuation of U.S. patent application Ser. No. 18/584,531, filed 22 Feb. 2024, which is a continuation of U.S. patent application Ser. No. 17/301,278, filed 30 Mar. 2021, now issued U.S. Pat. No. 12,095,817, the entire content of each application is incorporated herein by reference.
The disclosure relates to computer networks and, more specifically, to implementation of security policies in a computer network.
Network providers and enterprises may use software-defined networking (SDN) in a wide area network (SD-WAN) to manage network connectivity among distributed locations or sites. SD-WAN enables businesses to create connections quickly and efficiently over the WAN, which may include the Internet and/or other transport networks that offer various WAN connection types and service levels.
Security policies enforce rules for traffic flow from one security zone to another security zone within a network by defining the kind(s) of traffic permitted from specified sources to specified destinations. Intent-based policies allow network administrators to create policies based on a desired outcome or business objective (the so-called “intent”) according to logical business structures such as groups of users, departments, geographic locations, or other workgroups. Network software then translates this intent to one or more security policies configured to implement the intent within the network.
In general, the disclosure describes techniques for automatically applying intent-based security policies in devices managed by a cloud-based network management system. For example, the disclosure describes techniques for automatically applying intent-based security policies in a network system in which devices (e.g., customer premises equipment (CPE) devices) dynamically learn network segment (e.g., LAN segment) prefixes for one or more network segments at one or more sites.
The techniques of the present disclosure may provide an advantage over other systems, in which intent-based security policies based on dynamically learned LAN segment prefixes at one or more sites in a network are not possible. For example, the techniques of the present disclosure may enable implementation of more finely-grained intent-based security policies. In other words, rather than high level, coarse-grained security policies that may be defined only on a site-level basis, the techniques of the present disclosure allow finer-grained intent-based security policies to be defined at the segment level by specifying workgroups associated with network segment(s) at a site. This fine-grained functionality allows more specificity in the types of business intents that can be realized in a software-defined wide area network.
In addition, by configuring CPE devices at each site to automatically query for and receive network segment prefixes for one or more other sites in the network, the techniques of the disclosure provide for distributed and periodic synchronization of all sites in the network without human intervention from the network administrator or the service orchestrator controller. Eliminating human intervention in the distribution of network segment prefixes may decrease the possibility of human errors or misconfigurations of devices in the network. Further, the service orchestrator controller does not have to explicitly synchronize the CPE device configurations for dynamically changing network segment addresses across the entire customer network; rather, the service orchestrator controller automatically receives and stores the network segment prefixes for each of the sites in its database, and the CPE devices themselves keep their mutual states synchronized in a distributed fashion by polling the segment-specific resource(s) periodically or on some other user-configurable basis. As a result, at any point the CPE devices in the network will have the latest state in the network without any intervention from the administrator or the service orchestrator controller.
In one example, the disclosure is directed to a network system comprising a device comprising processing circuitry, the device associated with a first site; and a service orchestrator comprising processing circuitry and a database, the service orchestrator configured to: store network segment prefixes for network segments at a second site in the database, the network segment prefixes having been dynamically learned at the second site via a routing protocol; translate an intent-based security policy specifying a rule for control of network traffic between the first site and a workgroup at the second site to a security policy specifying a segment-specific queryable resource associated with the workgroup at the second site; configure the device based on the security policy to query the segment-specific queryable resource; and in response to a query from the device to the segment-specific queryable resource associated with the workgroup at the second site, transmit at least one of the network segment prefixes for a network segment associated with the workgroup at the second site stored in the database for receipt by the device.
In another example, the disclosure is directed to a method comprising storing, by a device associated with a first site in a network system, a security policy that specifies a segment-specific queryable resource associated with a second site in the network system, wherein the security policy is translated from an intent-based security policy specifying the segment-specific queryable resource associated with the second site; querying, by the device in implementing the security policy, the segment-specific queryable resource associated with the second site; receiving, by the device in response to the query, network segment prefixes associated with one or more network segments at the second site; updating, by the device, a forwarding table of the device with the network segment prefixes associated with the one or more network segments at the second site received in response to the query; and controlling, by the device and based on the updated forwarding tables, network traffic between the first site and the second site.
In another example, the disclosure is directed to a method comprising translating, by a service orchestrator of a network system including a first site and a second site, an intent-based security policy to a security policy for the first site specifying a segment-specific queryable resource associated with the second site; storing, in a database associated with the service orchestrator, network segment prefixes associated with one or more network segments at the second site, the network segment prefixes having been dynamically learned at the second site via a routing protocol; and configuring, by the service orchestrator, a first device associated with the first site based on the security policy to query the segment-specific queryable resource associated with the second site to obtain, in response to the query, the network segment prefixes associated with the one or more network segments at the second site.
The details of one or more examples are set forth in the accompanying drawings and the description below. Other features, objects, and advantages will be apparent from the description and drawings, and from the claims.
Like reference characters refer to like elements throughout the text and figures.
In a typical enterprise branch site network deployment, a customer premises equipment (CPE) device, such as a router, bridge, or switch, works as the gateway for a site. Each CPE device comprises processing circuitry including a LAN (Local Area Network) side interface facing one or more LAN segments for the site. A LAN segment is a section of a LAN that is used by a particular workgroup or department and separated from the rest of the LAN by a bridge, router or switch. Networks may be divided into multiple network segments or subnets for security purposes and to improve traffic flow by filtering out packets that are not destined for the segment.
Each LAN segment is assigned a network address (e.g., an IP address) having a unique prefix, and each device in a LAN segment is assigned a unique IP address having the same prefix as the corresponding LAN segment. The CPE learns and distributes the LAN prefixes to the service provider router providing WAN (Wide Area Network) connectivity or to a centralized cloud-based controller managing the route distribution across the enterprise sites.
In the case of a software-defined wide area network (SD-WAN) deployment, the centralized controller manages access between LAN segments across the network using routing and security policies. The routing policies distribute the LAN prefixes to different routing tables within the network for enabling access to the different LAN segments at the sites. Security policies control the specific traffic flows that are allowed to and/or from the enterprise sites, to provide enterprise security. Security policies are defined in terms of where the traffic to be managed is coming from (the source) and where the traffic to be managed is going to (the destination). To that end, security policies include one or more source addresses and one or more destination addresses.
Intent-based policies allow network administrators to create policies based on a desired outcome or business objective (the so-called “intent”) according to logical business structures such as users, departments, geographical locations, or other workgroups (herein referred to generally as “workgroups”). Network software translates this intent to one or more security policies configured to implement the intent within the network.
Static LAN segment prefixes are manually configured on the LAN side interface and devices on the LAN side are allocated IP addresses from those subnet(s) only. These statically configured prefixes are communicated to the management plane of the centralized controller and can therefore be used to implement LAN segment-level security policies.
However, dynamically learned LAN segment prefixes, such as those learned through a dynamic routing protocol (e.g., the Border Gateway Protocol (BGP) or Open Shortest Path First Protocol (OSPF)), are learned only in the forwarding plane for routing purposes and are typically not learned in the management plane of the centralized controller. In addition, new prefixes may be added and/or withdrawn dynamically at any time without knowledge in the management plane of the centralized controller.
The dynamically learned LAN segment prefixes therefore cannot be used in security policies without continuous monitoring and manual intervention by a network administrator. Manual intervention by the administrator is required whenever a LAN segment prefix is dynamically added or withdrawn. In addition, if a new prefix is dynamically learned at a site, potentially all other sites in the enterprise also need to be configured to reflect that new state. In the case of large enterprise sites or data centers where thousands of routes can potentially be learned dynamically, such manual intervention is not scalable and becomes practically impossible. In such examples, the only option available is to use coarse-grained intent-based security policies in which dynamically learned LAN segment prefixes cannot be used.
In accordance with one or more techniques described herein, the disclosure describes techniques for automatically configuring intent-based security policies in devices managed by a cloud-based network management system. For example, the disclosure describes techniques for automatically configuring intent-based security policies in a software-defined wide area network (SD-WAN) in which devices at one or more sites in the network dynamically learn LAN segment prefixes for one or more LAN segments at the sites. Although described for purposes of example in terms of an SD-WAN environment, the techniques of the disclosure can be applied more broadly to any network implementation where the network management system is cloud based.
In general, an intent-based security policy may express a business intent by defining rules for communication between workgroups at different sites in the network. Each workgroup may be assigned to a particular LAN segment at a site. Each LAN segment at a site is typically separated from the other LAN segments at a site by a bridge, router or switch. An intent-based security policy allows expression of a high level business intent that does not require specific identification of the LAN segment addresses or prefixes associated with the expressed intent. In this way, intent-based security policies allow business application owners to express high-level business needs without needing to know or specify network configuration details such as network specific addresses at each of the sites. In some circumstances, however, such as those in which LAN segment prefixes at one or more sites in the network system are dynamically learned by the CPE devices associated with the sites, it is not possible to implement such fine-grained intent-based security policies because the management plane of the network service orchestrator does not “know” the LAN segment prefixes that were dynamically learned by the CPE device at the site.
In accordance with one or more techniques of this disclosure, a network service orchestrator controller translates the intent expressed in an intent-based security policy associated with a first site and a workgroup at a second site to a security policy for the first site. The security policy specifies a segment-specific queryable resource associated with the LAN segment at the second site associated with the workgroup specified in the intent-based security policy. The network controller further automatically receives dynamically learned network segment prefixes for the second site and stores the network segment prefixes in a database. Each network segment at each site has an associated segment-specific queryable resource. A CPE device associated with the first site configured with the security policy queries the segment-specific queryable resource associated with the LAN segment at the second site and updates one or more forwarding tables at the CPE device with the dynamically learned prefixes for the LAN segment at the second site received in response to the query. The frequency at which the first CPE device queries the segment-specific queryable resource associated with the LAN segment at the second site may be configurable by the user. The CPE device associated with the first site then forwards network traffic to the LAN segment at the second site based on the updated forwarding tables.
In this way, the intent-based security policy specifies neither the segment-specific queryable resource for the LAN segment at the second site nor the dynamically learned prefixes for that LAN segment. Rather, the intent-based security policy specifies the workgroup(s) to which it applies. The service orchestrator controller configures the CPE device associated with the first site with a translated security policy that specifies the segment-specific queryable resource for the LAN segment at the second site corresponding to the specified workgroup, and, in accordance with the translated security policy, the CPE device associated with the first site queries the segment-specific queryable resource for the LAN segment at the second site to obtain the dynamically learned LAN segment prefix(es) for the segment. Thus, segment-level intent-based security policies may be achieved for those LAN segments whose prefixes are dynamically learned by the CPE device(s) at the site(s).
Unlike systems requiring manual determination and configuration of LAN segment prefixes by network administrators, the techniques of the disclosure provide for automatic update and synchronization of the current state of the LAN segment prefixes at each site across the entire network. The techniques of the disclosure thus permit automatic implementation of fine-grained, LAN segment-level intent-based security policies for networks in which LAN segment prefixes at one or more of the sites in the network are dynamically learned. Because changes to the dynamically learned prefixes at each site are automatically made available via segment-specific queryable resources, and because a security policy is configured such that each site automatically queries a resource to obtain updated prefixes for segments at another site specified in the security policy, time consuming manual intervention is not required in order to implement LAN segment-level intent-based security policies. The implementation of such intent-based security policies may therefore be more efficient and more accurate than systems in which manual intervention is required. In addition, the techniques of this disclosure make automatic implementation of such fine-grained intent-based security policies possible for enterprises having a large number of sites, where continuous monitoring and manual intervention of dynamically learned LAN segment prefixes would be practically impossible.
The figure is a block diagram illustrating an example network system in accordance with one or more techniques of this disclosure. The network system includes one or more enterprise sites A-N (or simply, sites A-N), each including one or more network segments A-N, respectively. In the examples described herein, the network system is a software-defined wide area network (SD-WAN) system. However, the techniques of this disclosure may also be applicable to other types of network systems, and the disclosure is not limited in this respect.
As described in further detail herein, the network system automatically applies intent-based security policies in devices managed by a cloud-based network management system. In the example of the figure, the network system provides automatic implementation of intent-based security policies in an SD-WAN network system in which network segment prefixes for network segments A-N at one or more of sites A-N are dynamically learned. Although described for purposes of example in terms of an SD-WAN environment, the techniques of the disclosure can be applied more broadly to any network implementation where the network management system is cloud based. In addition, for purposes of example, network segments A-N are described as Local Area Network (LAN) segments. However, network segments A-N may also include other types of network segments, and the disclosure is not limited in this respect.
The network system further includes one or more devices A-N, each associated with a respective one of sites A-N. In the examples described herein, each of devices A-N may be a customer premises equipment (CPE) device. Each of CPE devices A-N includes processing circuitry and works as a gateway for the associated site. Each CPE device A-N includes a network-side (e.g., LAN-side) interface facing the network segments A-N associated with the site. The network system may optionally include one or more of a provider hub (or hubs), a cloud, or a cloud service. In some cases, the "subscriber" and the SD-WAN provider are the same entity, as where an enterprise deploys and manages the network system.
CPE devices A-N are connected by one or more transport networks A-N (collectively, "transport networks"). CPE devices A-N use the transport networks to send application traffic across the network system to others of CPE devices A-N. One or more service providers may deploy the transport networks, which may therefore alternatively be referred to as "service provider networks." Sites attached to service provider networks may be referred to as "subscriber sites." The transport networks may offer separate connection types between any of CPE devices A-N. The connections may be public or private and may be a network service offering, such as a label switched path (LSP), an Ethernet service, an IP service, a public Internet service, or another service that enables an overlay WAN link. Each connection may have a bandwidth limitation and/or specified performance metrics (e.g., latency, loss, jitter, and so forth). The network system may be deployed using transport networks based on multiple different types of network service. In the example of the figure, for instance, the transport networks may include one or more different network connection types for supporting communication between any of CPE devices A-N. This diversity in the transport networks may be advantageous for an SD-WAN service by facilitating redundancy and by offering differentiated service capabilities to enable matches between the cost and service needs of the customer.
In some examples, a service provider may use the network system to offer an SD-WAN service to its subscribers or to organizations authorized by such subscribers, which may include cloud providers, cloud networks, and subscriber partners, for instance. The service provider may offer multiple SD-WAN services. For example, the SD-WAN service provider may be an enterprise, network/Internet service provider, cloud provider, or other entity.
The network system includes a service orchestrator that manages network services for sites A-N. The service orchestrator enables application-aware, orchestrated connectivity to deliver IP packets between sites associated with a subscriber according to policies. Control and ownership of the service orchestrator, CPE devices, and transport networks may be distributed among one or more service providers, subscribers, enterprises, or other organizations. The service orchestrator may configure the network configurations of CPE devices, configure security policies on CPE devices, and so forth.
In various examples of the network system, CPE devices A-N, the transport networks, and the service orchestrator may be combined to form a single service orchestration platform having separate service orchestration and domain orchestration layers, deployed as separate devices or appliances, or each may be distributed among one or more components executing on one or more servers deployed in one or more locations. The service orchestrator may be a scalable and cloud-deployable platform. For example, the service provider for SD-WAN services in the network system may deploy the service orchestrator, or certain aspects of the service orchestrator, to a provider site or to a public, private, or hybrid cloud. As such, operations and functions attributed in this disclosure to the service orchestrator may be performed by a separate SD-WAN controller, and vice versa. Aspects of service orchestration and SD-WAN control may also be distributed from the service orchestrator among one or more of CPE devices A-N in some example architectures.
Administrators and applications may interface with the service orchestrator using northbound interfaces such as RESTful interfaces (e.g., web-based REST APIs), command-line interfaces, portal or graphical user interfaces, web-based user interfaces, or other interfaces of the service orchestrator (not shown in the figure).
Each of sites A-C refers to a subscriber location and may represent, for example, a branch office, a private cloud, an on-premises spoke, an enterprise hub, a cloud spoke, etc. The provider hub(s) represent a multitenant hub device located in a point-of-presence (POP) on the service provider network. The provider hub(s) may terminate overlay tunnels for overlay networks, which may be of various types such as MPLS over Generic Routing Encapsulation (MPLSoGRE), MPLSoGRE over IPsec (MPLSoGREoIPsec), and MPLS over User Datagram Protocol (MPLSoUDP) tunnels. The provider hub(s) may be the hub in a hub-and-spoke architecture for some example deployments of the SD-WAN service.
The cloud represents a public, private, or hybrid cloud infrastructure. The cloud may be a virtual private cloud within a public cloud. The cloud service is a resource or higher-order service that is offered by a cloud service provider to the subscriber over the SD-WAN service. The cloud service may be, for instance, Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Storage as a Service, or another type of cloud service. The cloud service may be offered by infrastructure of the cloud.
The Internet represents the web and/or an Internet-connected service offered via the web. CPE device B, in this example, includes an Internet breakout and assigns application flows to the Internet breakout by policy.
In some examples, each of CPE devices A-N may include a physical network function or a virtual network function for implementing an SD-WAN network service. In various examples, each of CPE devices A-N may be, for instance, one or more Virtualized Network Functions (VNFs) or a Physical Network Function (PNF) located within any of a service provider data center, a provider hub, customer premises, or cloud provider premises. Each of CPE devices A-N may be a router, a security device such as a firewall, a gateway, a WAN acceleration device, a switch, a cloud router, a virtual gateway, a cloud virtual gateway, an SD-WAN device, or another device that implements aspects of an SD-WAN network service.
In various examples, each of CPE devices A-N may be: an on-premises spoke that is a PNF placed at a subscriber branch site in either a hub-and-spoke or full mesh topology; a cloud spoke that is a VNF located in a subscriber's virtual private cloud (VPC) (or equivalent term) within a public cloud; a PNF or VNF located in a service provider cloud and operating as a hub device to establish tunnels with the spoke sites (hub devices are multitenant, i.e., shared among multiple sites through the use of virtual routing and forwarding instances configured thereon); or a PNF or VNF located at an enterprise and operating as an enterprise hub to provide additional hub-like capabilities to a normal spoke site (e.g., acting as an anchor point for spokes for dynamic virtual private network (VPN) creation, providing an on-premises central breakout option, hosting a data center department, importing routing protocol routes to create a dynamic LAN segment, and meshing with other enterprise hubs that belong to the same tenant/subscriber). Each of CPE devices A-N may be located at the location of any of the sites, the provider hub(s), the cloud, or the cloud service.
CPE devices A-N are logically located at the boundary between the transport networks and the subscriber network at each site A-N, each subscriber network comprising one or more LAN segments A-N, respectively. Each of CPE devices A-N has network-side interfaces for the transport network connection and subscriber-side (or LAN-side) interfaces for communication with the sites.
The service orchestrator may deploy an SD-WAN service in various architectural topologies, including mesh and hub-and-spoke. A mesh topology is one in which traffic can flow directly from any site A-N to any other site A-N. In a dynamic mesh, CPE devices A-N conserve the resources needed to implement a full-mesh topology: all of the sites in the full mesh are included in the topology, but the site-to-site VPNs are not brought up until traffic crosses a user-defined threshold called the Dynamic VPN threshold. Sites in the mesh topology may include the sites, the cloud, and/or the cloud service. In a hub-and-spoke topology, all traffic passes through the provider hub, more specifically, through CPE device N deployed at the provider hub. By default, traffic to the Internet also flows through the provider hub. In a hub-and-spoke topology, network services (e.g., firewall or other security services) may be applied at the provider hub location, which allows all network traffic for an SD-WAN service to be processed using the network services at a single site. The SD-WAN service provided by the network system may have a regional hub topology that combines full mesh and hub-and-spoke using one or more regional hubs that connect multiple spokes to a broader mesh.
In some examples, the service orchestrator includes one or more virtual route reflectors to facilitate routing of network traffic between CPE devices A-N in the network system. For routing purposes, the LAN segment prefixes associated with LAN segments A-N at each site may be statically learned or dynamically learned. Statically learned LAN segment prefixes are assigned manually by an administrator. For dynamically learned LAN segment prefixes, a CPE device associated with a site dynamically learns LAN segment prefixes associated with one or more LAN segments at the site via a dynamic routing protocol. For example, in accordance with a dynamic routing protocol, the virtual route reflectors of the service orchestrator may form overlay Border Gateway Protocol (BGP) sessions with CPE devices A-N to receive, insert, and reflect routes between one or more LAN segments A-N within each site A-N, respectively.
CPE devices A-N receive ingress network traffic from corresponding subscriber sites and forward the network traffic via the transport networks to an intermediate one of CPE devices A-N or to the destination subscriber site according to routing information provided by the service orchestrator.
In accordance with one or more techniques described herein, network systemprovides for automatic implementation of intent-based security policies in which network segment (e.g., LAN segment) prefixes for network (e.g., LAN) segmentsA-N at one or more sitesA-N are dynamically learned by the CPE devicesA-N for each site.
Service orchestratormanages one or more segment-specific queryable resources, each associated with a different one of the one or more network segmentsA-N, through which a CPE deviceA-N associated with one of sitesA-N may obtain dynamically learned prefixes for network segments at another one of sitesA-N. In some examples, the segment-specific queryable resources may include segment-specific Uniform Resource Locators (URLs). In such examples, service orchestratorimplements a feed server that manages queries to the segment-specific feed server Uniform Resource Locators and, in response to each query, returns LAN segment prefix(es) stored in a service orchestrator database corresponding to the queried segment-specific Uniform Resource Locator.
Service orchestratorfurther includes a network controller that translates an intent-based security policy input by a user into a security policy for a first site (for example siteA). The intent-based security policy specifies at least one workgroup corresponding to a network segment at a site (for example one of LAN segmentsB at siteB). The intent-based security policy is a high level policy that specifies the workgroup(s) to which the security policy applies but does not need to specify the network segment or the network segment prefixes associated with the workgroup, for example. The translated security policy configures the CPE at the first site to perform actionable operational tasks designed to carryout the intent expressed in the intent-based security policy. For example, the translated security policy specifies a segment-specific queryable resource associated with the LAN segment at the second site corresponding to the specified workgroup. Service orchestratorconfigures a first CPE deviceA associated with the first siteA based on the translated security policy.
Once configured with the translated security policy, first CPE device A associated with the first site A queries the segment-specific queryable resource associated with the second site B. In response to the query, the first CPE device A receives the LAN segment prefixes associated with the LAN segment B at the second site B associated with the workgroup, as maintained in the service orchestrator database. The first CPE device A updates one or more forwarding tables with the LAN segment prefixes for the second site B received in response to the query. The first CPE device A then forwards network traffic to the network segment at the second site B (and thus to devices associated with the workgroup specified in the intent-based security policy) based on the updated forwarding tables.
A CPE device A-N configured with a translated intent-based security policy may query a segment-specific Uniform Resource Locator on a recurring basis to obtain prefixes associated with one or more LAN segments A-N at another one of sites A-N. The schedule on which a CPE device A-N queries the segment-specific queryable resource associated with segments at another one of sites A-N may be configured by the user and may be periodic, at one or more scheduled times, or on demand.
In some examples, service orchestrator may further configure a second CPE device (CPE device B in this example) according to another version of the security policy to carry out symmetric functions, if any, to realize the intent expressed in the intent-based security policy.
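The following Python model is an added illustration of the flow described above, not code from the patent or from any vendor implementation. It assumes a hypothetical URL scheme for the segment-specific resources, a constructed service orchestrator database, and a hypothetical workgroup-to-segment lookup used by the intent compiler; it shows that the translated policy carries only the queryable resource, that each poll replaces the learned prefixes (so withdrawn prefixes drop out), and that a failed query leaves the last known-good forwarding table in place.

```python
import ipaddress

# Constructed sample of the service orchestrator database: segment-specific URL -> LAN
# segment prefixes dynamically learned from the CPE at that site (URL scheme is hypothetical).
SO_DATABASE = {
    "https://so.example/feed/siteB/finance": ["10.20.1.0/24", "10.20.2.0/24"],
    "https://so.example/feed/siteB/hr": ["10.20.9.0/24"],
}
# Hypothetical intent-compiler lookup: workgroup -> (site, segment-specific resource).
WORKGROUP_SEGMENTS = {"finance": ("siteB", "https://so.example/feed/siteB/finance"),
                      "hr": ("siteB", "https://so.example/feed/siteB/hr")}

def feed_server_query(url):
    """Feed server: answer a query for one segment-specific URL from the database."""
    if url not in SO_DATABASE:
        raise KeyError(f"unknown segment resource: {url}")
    return [ipaddress.ip_network(p) for p in SO_DATABASE[url]]

def translate_intent(intent):
    """Intent compiler: the site policy names the queryable resource, never the prefixes,
    so the policy stays valid when the remote segment's addressing changes."""
    site, url = WORKGROUP_SEGMENTS[intent["workgroup"]]
    return {"site": intent["from_site"], "action": intent["action"], "dest_site": site,
            "dest_resource": url, "poll_interval_s": intent.get("poll_interval_s", 300)}

class CpeDevice:
    def __init__(self, site):
        self.site, self.policy, self.forwarding_table = site, None, {}

    def configure(self, policy):
        self.policy = policy

    def poll(self, query=feed_server_query):
        """One scheduled query. The table is rebuilt from the answer so prefixes withdrawn at
        the remote site disappear; a failed query keeps the last known-good table."""
        try:
            prefixes = query(self.policy["dest_resource"])
        except KeyError:
            return None
        self.forwarding_table = {p: (self.policy["action"], self.policy["dest_site"])
                                 for p in prefixes}
        return sorted(str(p) for p in prefixes)

    def lookup(self, dst_ip):
        """Longest-prefix match; None means no learned entry, so the traffic is not forwarded."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [p for p in self.forwarding_table if ip in p]
        return self.forwarding_table[max(matches, key=lambda p: p.prefixlen)] if matches else None
```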
The techniques of the present disclosure may provide an advantage over other systems, in which intent-based security policies based on network segment prefixes that are dynamically learned at one or more sites in a network are not possible. For example, the techniques of the present disclosure may enable use of more finely-grained intent-based security policies based on workgroups that are associated with network segments at one or more sites. In other words, rather than high-level, coarse-grained security policies that may only be defined on a site-level basis, the techniques of the present disclosure allow finer-grained intent-based security policies to be defined based on workgroups or other network-segment-level groups. This fine-grained functionality allows more specificity in the types of business intents that can be realized in an SD-WAN environment.
In addition, by configuring CPE devices at each site to automatically query for and receive updated LAN segment prefixes for one or more other sites in the network, the techniques of the disclosure provide for distributed and periodic synchronization of all sites in the network without human intervention from the network administrator or the service orchestrator controller. Eliminating human intervention in the distribution of network segment prefixes may decrease the possibility of human errors or misconfigurations of devices in the network. Further, the service orchestrator controller does not have to explicitly synchronize the CPE device configurations for dynamically changing LAN segment addresses across the entire customer network; rather, the service orchestrator controller automatically receives and stores the LAN segment prefixes for each of the sites in its database, and the CPE devices themselves keep their mutual states synchronized in a distributed fashion by polling the segment-specific resource(s). As a result, at any point the CPE devices in the network will have the latest state in the network without any intervention from the administrator or the service orchestrator controller.
is a block diagram illustrating an example service orchestrator, in accordance with one or more techniques of this disclosure. As shown in, example service orchestrator includes a service orchestrator (SO) controller/management interface, a routing manager, an intent compiler, one or more virtual route reflectors A-N, a feed server, and a database.
November 13, 2025